The DoT has decided that it will be going ahead with a 100 per cent domestic sourcing and has released a list of certified GPON suppliers. (…) Local companies that made it to the certified list include Tejas Networks, Prithvi Infosystems, Center for Development of Telematics (C-DoT), VMC Systems, Sai Systems, United Telecoms, and SM Creative.

This follows the decision by the US House Intelligence Committee, which branded ZTE and Huawei a national security threat:

The House Intelligence Committee said that after a yearlong investigation it had come to the conclusion that the Chinese businesses, Huawei Technologies and ZTE Inc., were a national security threat because of their attempts to extract sensitive information from American companies and their loyalties to the Chinese government.

While it is good that the GoI decided to look beyond the Chinese companies when considering possible threats, the question it raises is whether this isn’t turtles all the way down. Is it certified that the local companies will use 100% indigenously developed components, and if not, why is an “Assembled in India” sticker any better? A domestic vendor that buys its chipsets, optics and firmware from the same upstream suppliers inherits the same supply-chain exposure; the label changes, the bill of materials does not.

The FOFN project is a high-investment, long-term project that will underpin India’s network infrastructure for some time to come. So it is prudent for the GoI to tighten security, but it cannot be an isolated event. Nor is it viable to blanket-ban all foreign companies and technologies from such infrastructure and other sensitive projects. I hope someone higher up is thinking and acting seriously on an Information Assurance programme within the scope of Critical Infrastructure Protection.

General William Shelton, who heads Air Force Space Command and oversees the Air Force’s cyber operations, comments that Iran will be a “force to be reckoned with” in the future, having apparently strengthened its cyber defence and offence capabilities after the Stuxnet attacks.

“The Iranian situation is difficult to talk about,” Shelton told reporters. “It’s clear that the Natanz situation generated reaction by them. They are going to be a force to be reckoned with, with the potential capabilities that they will develop over the years and the potential threat that will represent to the United States.”

Have the chickens come home to roost, or is this just more war-mongering to get a yet bigger share of the defense budget?

US Homeland Security Secretary Janet Napolitano’s recent comment that the administration has considered, and will consider, the participation of private companies in “proactive” cyber “counterattacks” has received its share of attention:

In discussing the private partnerships she is promoting to combat cyberattacks, Napolitano was asked if instead of just taking defensive measures, the government and companies should be launching proactive counterattacks against foreign-based culprits. “Should there be some aspect that is in a way proactive instead of reactive?” she responded, and then answered her own question with “yes.” She added, “it is not something that we haven’t been thinking about,” noting someone else had raised the subject with her earlier Monday.

Before analysing this development and the concept in general, it needs to be said that there is some ambiguity, at least in my mind, about Napolitano’s statement(s). Her use of “proactive” and “counterattack” together, as reported by the San Jose Mercury News, is confusing, since “proactive” is a term usually paired with “defense.” In risk-management lingo, ‘proactive’ denotes taking the initiative by acting ahead of a threat event, while ‘reactive’ actions respond to past event(s) rather than predicting them and acting beforehand. Thus “proactive” gels well with “defense”, which in military literature refers to the art of preventing an attack, to mean defending against an imminent attack by acting before it happens. This flies completely against the concept of a counter-attack, which is about, duh, countering an attack that has already happened, something that automatically classifies the act as reactive.

My guess is that Ms. Napolitano did mean counter-attack, but by “proactive” she was trying to emphasise that the reaction from the US will not be limited to acts of defense but will include counter-offensive moves. Either way, I did end up smiling when I read the double negative that Ms. Napolitano used:

“Should there be some aspect that is in a way proactive instead of reactive?” she responded, and then answered her own question with “yes.” She added, “it is not something that we haven’t been thinking about,” (…)

Now that my confusion regarding the use of “proactive counterattack” is out in the open, let us get to the main point of discussion: the use of private companies in proactive cyber attacks by nation states. In traditional military engagement, private military companies have long been used to supplement the operational capability of the nation state’s army. In recent years their role has increasingly moved from supporting military personnel in areas like base security and convoy protection to the more traditional role played by active military personnel as part of an active war operation. The case of Academi (previously Blackwater) is a prime example of such a private military company.

The reasons have been numerous. Cost is the obvious one but not the main one, which is to avoid the scrutiny, including Congressional oversight in the US, that seems to be reserved for the nation-state’s own military personnel. Similar reasoning applies in cyberspace. Private companies engaged in cyber operations, regardless of their nature (defensive, offensive, counter-attack, proactive), can be set up to evade deep scrutiny and congressional oversight. This gives them the flexibility to be a lot more liberal about the means and mechanisms used without having to worry about repercussions.

The practice also provides a good means to exploit the attribution problem, which has so far been an issue rather than a way out for the US (pdf). By engaging private civilian companies it becomes harder for the target of the attacks to state concretely that it was indeed targeted by the US. Even if it did, the fact that the attacks cannot be traced back to the networks of the US military establishment gives the US enough room to assert that it neither knew of nor authorised them. Such a setup has been used with good results by the Chinese and the Russians.

In the narrower context of counter-attacks, the cyber domain differs from the other four domains, land, sea, air and space, in a crucial way: the conduits used for the attacks, the networks made up of routers, cables and other physical and software-based systems, are owned by private companies. In each of the four traditional domains, the conduit of attack is usually owned, at least in an extended sense of the word, by the nation state that is attacking or being attacked. This makes it easier to construct a case for involving private companies, since after all they are direct front-line casualties in the event of an attack.

Another reason is of course the simple practical fact that the talent pool of experts expands drastically if private companies are also considered part of the “recruitment” space. Cyber is the only one of the five domains where the private sector holds a large share of the capable, qualified individuals who can serve in these operations. Public-private partnerships just make sense.

The wholesale hiring of “ethical hackers” by NTRO, as reported by news outlets, provides a seemingly similar setup in India, with the crucial disadvantage that this “hired help” is still directly associated with NTRO, and hence NTRO can and will be held accountable for their actions, negating some of the crucial advantages of using private companies/individuals. What is needed is a deeper and longer-term relationship between the government and private companies that takes defending the infrastructure they both rely on as its central theme and works on the means to do that, be it defensive postures or offensive gestures.

There are of course risks involved. The command structure gets blurred when the military merges with the private sector, and without one, controlling these private parties becomes a risky process that cannot be taken for granted. This has been seen again and again in cases related to Blackwater. What if an unapproved action by the private contractor is judged an act of war by the other party and leads to a confrontation? A similar situation can arise when the wrong magnitude of (counter)attack is applied, accidentally or otherwise, by these third parties.

All of this points to the fact that the use of private companies in cyber operations is tactically a good move and, some would argue, a necessity. However, it cannot be done at the drop of a hat, since the “rules of engagement” are bound to be fickle in such symbiotic associations.

The Stuxnet worm was first reported in June 2010 and has been credited with several exploits, including sabotaging Iran’s uranium-enrichment programme (the centrifuge cascades at Natanz, rather than a power reactor) and possibly even causing the malfunction of the INSAT-4B communication satellite, a claim that was never substantiated. Now, more than a year on, security experts think they have stumbled upon a worm being described as the precursor to the next Stuxnet, potentially written by the same people who wrote Stuxnet, or at least by someone with access to its source code.

Named Duqu, the worm was first identified by the Laboratory of Cryptography and System Security (CrySyS) of the Budapest University of Technology and Economics in Hungary on 1st September 2011. The name comes from the “~DQ” prefix of the files it creates on the systems it infects. Further analysis by Internet security firm Symantec revealed that the worm may have been in the wild since November 2010 and had so far infected computers in eight countries, including India, with four more suspected.

Just like Stuxnet, Duqu makes use of a zero-day vulnerability in Windows to compromise the operating system and install its components stealthily; in Duqu’s case the installer was a Word document exploiting a flaw in the kernel’s TrueType font parsing (CVE-2011-3402). And just like Stuxnet, it installs a driver carrying a valid digital signature; the certificate used appears to have been stolen from a company in Taiwan (C-Media Electronics). The lesson for defenders is the same in both cases: a valid code-signing signature only tells you whose key was used, not who used it, so signature validity alone cannot be the trust decision.

However, the similarities do not carry over to the suspected intention of the two. It is now accepted that Stuxnet was written to compromise industrial control and monitoring systems, often called Supervisory Control and Data Acquisition (SCADA) systems, and was specifically targeted at the Iranian atomic programme, while Duqu is believed to contain no code related to industrial control systems; it is primarily malware designed to give the attacker complete remote control over the compromised machine, often termed a Remote Access Trojan (RAT). It is also believed to install additional payloads that record keystrokes and collect other system information from the compromised machine. The attackers were most probably looking for information that could be used in a future attack, hence the description of Duqu as a “precursor to the next Stuxnet.” It does make one wonder what we may have missed that was the real precursor to Stuxnet.

Other than the fact that machines in India were infected with Duqu, there is another curious connection to the Indian cyberspace. Malware like Duqu uses external Command and Control (C&C) servers as the means for the attackers to control it remotely, for example to download new executables onto the infected machine, exfiltrate sensitive information, update the malware itself and sometimes even to destroy or deactivate it. One of only three C&C servers identified for Duqu was hosted at the IP address 206.183.111.97. This address, and the virtual private server (VPS) it belonged to, was hosted by Web Werks, a Mumbai-based hosting company. According to the company, the VPS belonged to a client in Milan, Italy, and because it was managed by the client itself, Web Werks had no control over what was running on it.

According to reports, officials from the Indian Computer Emergency Response Team (CERT-In) have obtained an image of the VPS before taking it offline. Interestingly, there is no mention of the operation anywhere on CERT-In’s website and officials have refused to comment on the development as it pertains to ongoing investigation.

Getting hold of the C&C servers, however, doesn’t seem to have done the investigators a whole lot of good. Recent reports from Symantec indicate that all three C&C servers, including the one hosted at Web Werks, had been set up purely as relays, forwarding all traffic from the malware on to other servers, which makes the final endpoint of the C&C chain hard to pinpoint. That said, a disk image of such a relay is not worthless: its forwarding configuration records where the traffic was sent next, and that is the next lead in the chain.

The last few years have seen a drastic uptick in incidents related to cyber crime, and the cases of Stuxnet and Duqu have shown us that the new generation of malware is being continually honed for purposes that go beyond pranks, notoriety or money.

Iran has been targeted by a second computer virus in a “cyber war” waged by its enemies, its commander of civil defense said on Monday. Gholamreza Jalali told the semi-official Mehr news agency that the new virus, called “Stars,” was being investigated by experts.

“Fortunately, our young experts have been able to discover this virus and the Stars virus is now in the laboratory for more investigations,” Jalali was quoted as saying. He did not specify the target of Stars or its intended impact.

“The particular characteristics of the Stars virus have been discovered,” Jalali said. “The virus is congruous and harmonious with the (computer) system and in the initial phase it does minor damage and might be mistaken for some executive files of government organisations.”

While it is interesting to figure out what “congruous and harmonious with the system” actually means, even more interesting is what kind of mischief someone in this position can conjure up and blame it on “clear and present danger to critical national infrastructure”. Many believe that Iran was successfully targeted by the Stuxnet worm. Given this history, how many would fault Iran if it decides to “hunt down” machines/entities that are helping spread this new virus against it? Will such a strategy be acceptable by the world at large? Would the US or China or for that matter India be able to use similar logic to implement an active defense strategy? How can the international community verify Iran’s claims?

The Minister of State for Communications & Information Technology has provided the official version of the impact of Stuxnet on critical infrastructure in India. In a reply to a written question in the Rajya Sabha on 11th March, he stated that:

Some computer systems in India were also infected by the Stuxnet, but none of the infections have so far been reported in sensitive Industrial systems.

He then goes on to explain the steps being taken to tackle the problem of viruses and to protect sensitive installations in the country, which include the alerts and advisories produced by CERT-In and the workshops it conducts. With such a mandate one would assume CERT-In is on top of things, at least when it comes to issuing advisories. Not so! It issued its advisory on Stuxnet on July 23rd 2010, long after VirusBlokAda reported W32.Stuxnet (June 17), Microsoft issued Security Advisory 2286198 (July 16) and Siemens reported (July 19) that it was investigating reports of the malware infecting its SCADA systems. With such a lag in issuing the advisory, it would be hard to give CERT-In any credit for the reported absence of Stuxnet in “sensitive Industrial systems”. It is also worth remembering that Stuxnet spread over USB media and local networks precisely so that it could reach systems with no internet connectivity, so an absence of reports from such systems is not the same as an absence of infections.

As usual, these official press releases open up more questions. For one, where exactly were the computer systems infected by Stuxnet found? This is second only to the more intriguing question: what is with the title of the press release, “Protection of Sensitive Installations from but ‘Free Virus’”?

US President Barack Obama announced last year that America’s digital infrastructure is a “strategic national asset,” and set up a new Cyber Command headed by the director of the National Security Agency, signaling the importance of cyberpower in a nation’s internal and foreign policy. “Cyberpower and National Security” is one of the most comprehensive and scholarly books available on the topic of cyberpower.

The book is divided into six broad sections. The first three chapters form the foundation section that aims to identify and discuss major policy issues and formulate a preliminary theory of cyberpower. Chapter 1 looks at the key policy issues, categorizing them into structural and geopolitical. Chapter 2 establishes a common vocabulary for the cyber domain, with definitions for key concepts of cyberspace, cyberpower, and cyber strategy. Chapter 3 presents the initial theory of cyberpower.

Chapters 4 to 9 form the second section, “Cyberspace.” Chapter 4 looks at the structural elements that constitute cyberspace, while chapter 5 identifies vulnerabilities affecting the critical national infrastructure of the US, including power grids, communication systems, and cyberspace infrastructure. In chapter 6, the authors look at trends in cyberspace: the proliferation of broadband, the move to Internet Protocol version 6 (IPv6), increasing software complexity, the rise of online communities, and so on. Chapter 7 looks at the information security issues affecting the Internet, both on a small and a large scale. Chapter 8 raises several policy issues that the authors think are relevant to the future of cyberspace, including security, identity, and location-aware computing, while chapter 9 explores the biotech revolution and the blurring of lines between humans and technology.

Section 3, “Military Use and Deterrence,” consists of four chapters. Chapter 10 looks at environmental power theories, compares them to cyberpower, and comes up with common features. Chapter 11 considers the question of whether networked operations do indeed improve operational effectiveness. Chapter 12 provides an overview of the cyberspace and cyberpower initiatives undertaken by the military, and chapter 13 looks at the contentious issue of the deterrence of cyber attacks.

The chapters in section 4, “Information,” look at the power of information and its role in the military and government. Chapter 14 examines the strategic influence of cyberspace information on international security. Chapter 15 explores the challenges associated with influence operations at the tactical level, while chapter 16 looks at the related issue of how information and communication technology and strategy can influence stability operations. This topic is further pursued in chapter 17, which analyzes various policy and institutional activities.

Section 5, composed of three chapters, looks at the way cyberpower can empower nations, terrorists, and criminals. Chapter 18 considers the way crime has advanced in cyberspace, especially the use of cyberspace by organized crime to further their agenda. Chapter 19 tries to scope the term “cyber terrorism,” and considers the debated question of whether it exists or is just a myth. Chapter 20 looks at the use of cyberspace by China and Russia.

In the last section, chapter 21 looks at the complex and sensitive issue of Internet governance and how the US can achieve “Internet influence” in the face of pressure from other nations. Chapter 22 discusses legal issues associated with cyber warfare, particularly two classes of problems: lawful resort to force and use of force in wartime. Chapter 23 provides a critical assessment of the US federal efforts to protect critical infrastructure. The last chapter pushes for setting up a Cyber Policy Council to provide a structured solution to some of the vexing problems in the area.

Compared to other books on the topic [1,2], this book is very detailed and theoretical in its coverage. Given its comprehensive coverage, it should be read and digested by those who have more than a passing interest in cyberpower and cyber strategies but with a liking for a more scholarly treatment of the problem space.

1) Carr, J. Inside cyber warfare. O’Reilly, Sebastopol, CA, 2009.

2) Clarke, R.A.; Knake, R. Cyber war: the next threat to national security and what to do about it. Ecco, New York, NY, 2010.

This blog has been silent for some time but, if all goes well, that will change from now on. In order to get up to date with the happenings on the “cyberwar” front, here are a couple of interesting articles that have been published in the last couple of months:

“The dawn of offensive cyber-warfare” has brought with it highly sophisticated target selection that goes beyond attacking virtual assets like websites and banking front-ends. The latest in the line is the Stuxnet epidemic, which targeted specific Siemens programmable logic controllers (PLCs), apparently those driving the centrifuges of Iran’s uranium-enrichment programme, rather than a power reactor. One expert even attributed a malfunction in INSAT-4B to Stuxnet because the satellite reportedly used the same Siemens controller.

In the current cyber defense climate, traditional military or political approaches to deterring attacks are ineffective because of the problem of attribution, i.e. identifying the attacker. The anonymity afforded by the internet’s administrative regime not only serves much-needed individual freedoms but also provides a veil behind which attackers hide. With the potential for taking down banks, power grids, stock exchanges and medical systems, cyber attacks can now have a devastating effect on lives and economies.

Attempts to attribute cyber attacks normally focus exclusively on the cyber world. This, however, is a sure-shot path to attribution hell. Just as the victims have to deal with the physical-world aspects of an attack, the attackers too are constrained by it. The interconnection between the virtual and the physical world is an observation on which an early warning system can be built.

Consider the recent reports of the Chinese internet hijack. Internet traffic that should not have been flowing to computers in China was observed being diverted there. Depending on who you ask, the amount of traffic diverted into a particular Chinese ISP ranged from 1% to 15% of all traffic on the internet. The diversion exploited a weakness in the way traffic is routed from source to destination: the Border Gateway Protocol (BGP), through which networks announce which address blocks they can reach, accepts those announcements largely on trust, so a network that announces prefixes it does not own can pull traffic towards itself. Regardless of whether this was a deliberate hijack, a configuration mistake or a trial run, the fact remains that this weakness is a powerful tool in the hands of state and non-state actors for snooping on confidential data.

Such an exercise would require massive resources: processing power, data storage, power and cooling, and trained manpower. It would take months of preparation to get the server farms operating at maximum performance and to develop tools for analysing the huge amount of data captured. Each of these variables requires an administrative backend to set up such server farms. It needs the appropriate human resources to run the farms, leading to recruitment and training. It needs equipment, which has to be manufactured or procured. Manufacturing in turn needs raw materials, which could come from almost anywhere in the world today. On the one hand, the large number of variables makes tracking supplies of such equipment and raw materials a difficult exercise. On the other hand, it increases the number of interactions that must take place with the physical world in order to undertake a cyber operation of that scale. An argument can be made that the larger number of sources of raw materials makes observation harder, but businesses already use advanced data analytics to mine similar information in order to gain a competitive edge. Spikes in power consumption and in sales of microchips, storage media and specialised cooling equipment are just some of the other obvious signs that such a project is being undertaken. And surely enough, these are exactly the kind of things that traditional intelligence gathering and analysis excels at. Remember how the unusual supply movement in the areas opposite Kargil was correctly interpreted by some as a sign of the Pakistan Army’s enhanced operational readiness?
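The routing weakness behind the traffic diversion, as an added example that is not part of the original post or of any report it cites: a toy origin-validation check of the kind a BGP monitoring service or an RPKI validator performs. It compares the origin AS of each announcement against a table of expected origins, flags same-length origin hijacks as well as the more dangerous more-specific announcements (which win longest-match routing wherever they propagate), and leaves prefixes it has no data for as unknown rather than guessing. The expected-origin table and the announcements are constructed for this example; prefixes and AS numbers come from the documentation ranges.

```python
"""Origin / more-specific check over BGP announcements (constructed data).

Added example, not from the original post. Flags announcements whose
origin AS disagrees with an expected-origin table, the check an RPKI
route-origin validator or a BGP monitoring service performs. Prefixes
and AS numbers are from the documentation ranges (RFC 5737, RFC 5398);
the table and the announcements below are constructed.
"""
import ipaddress
from dataclasses import dataclass
from typing import Dict, List, Optional, Set, Tuple

# Constructed expected-origin table (stands in for RPKI ROAs or IRR route
# objects): which AS is allowed to originate each prefix.
EXPECTED_ORIGINS: Dict[ipaddress.IPv4Network, Set[int]] = {
    ipaddress.ip_network("203.0.113.0/24"): {64500},
    ipaddress.ip_network("198.51.100.0/22"): {64501},
}


@dataclass(frozen=True)
class Announcement:
    prefix: str
    # leftmost = neighbour we heard it from, rightmost = originating AS
    as_path: Tuple[int, ...]

    @property
    def origin(self) -> int:
        return self.as_path[-1]


def classify(ann: Announcement) -> Tuple[str, Optional[ipaddress.IPv4Network]]:
    """Return (verdict, covering authorised prefix or None).

    valid                 origin matches the most specific covering entry
    origin-mismatch       same length as the authorised prefix, wrong origin
    more-specific-hijack  longer than the authorised prefix, wrong origin;
                          wins longest-match routing everywhere it reaches
    unknown               no covering entry, so nothing to judge against
    """
    net = ipaddress.ip_network(ann.prefix)
    covering = [p for p in EXPECTED_ORIGINS if net.subnet_of(p)]
    if not covering:
        return "unknown", None
    # The most specific authorised entry decides, as longest-match routing would.
    best = max(covering, key=lambda p: p.prefixlen)
    if ann.origin in EXPECTED_ORIGINS[best]:
        # A more specific announced by the legitimate origin is accepted here;
        # RPKI's maxLength attribute is how an owner would forbid that.
        return "valid", best
    if net.prefixlen > best.prefixlen:
        return "more-specific-hijack", best
    return "origin-mismatch", best


def scan(anns: List[Announcement]) -> List[Tuple[Announcement, str, Optional[ipaddress.IPv4Network]]]:
    """Return every announcement that needs a human look, i.e. anything not valid."""
    flagged = []
    for ann in anns:
        verdict, covering = classify(ann)
        if verdict != "valid":
            flagged.append((ann, verdict, covering))
    return flagged


# Constructed announcements as a route collector might hand them over.
SAMPLE_ANNOUNCEMENTS = [
    Announcement("203.0.113.0/24", (64496, 64500)),         # legitimate
    Announcement("203.0.113.0/25", (64496, 64497, 64666)),  # more specific, foreign origin
    Announcement("198.51.100.0/22", (64496, 64666)),        # same length, foreign origin
    Announcement("198.51.100.0/24", (64496, 64501)),        # more specific, legitimate origin
    Announcement("192.0.2.0/24", (64496, 64502)),           # not in the table
]

if __name__ == "__main__":
    for ann, verdict, covering in scan(SAMPLE_ANNOUNCEMENTS):
        allowed = sorted(EXPECTED_ORIGINS[covering]) if covering else "n/a"
        print(f"{verdict:22s} {ann.prefix:18s} origin AS{ann.origin} "
              f"(authorised for {covering}: {allowed})")
```

Fed with live announcements from a route collector and a table derived from RPKI or IRR data, the same logic is how a network would notice its prefixes being originated from the wrong AS during an incident like the one described. It is attribution at the network layer only, not the physical-world attribution the post goes on to argue for, but it is the first signal that there is something to attribute.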

In the case of China, with its massive manufacturing base, it could be argued that the equipment could be sourced internally. However, there are so many raw materials that go into setting up an operation of this scale that a persistent supply chain expert should be able to identify relevant flows for use in cyber early warning or cyber forensics.

Measures taken by states make it tougher to see through the mask of purchases for cyber operations. As the USCC report points out, in China, a large onus for censorship is offloaded to private enterprises, with Baidu as an example of how US capital and US board-members run a company that engages in such censorship. Of course, the work-around would be to analyse regulations in China, again pointed out by the USCC report, that “provide unfair advantage to homegrown technology companies” and watch those companies that benefit from them. Such tasks are well within the duties and expertise of agencies that deal with economic intelligence. It is time that such traditional strengths be used in attributing cyber attacks.

An argument could be made that cyber early warning would not be feasible against a silent multi-month effort like the one against Indian government and Tibetan computers. True, there are major differences. For one, the Tibetan government officials allegedly suspected an espionage angle because, during negotiations, Chinese officials were already well prepared with counter-arguments against the Tibetan positions. As the Shadows in the Cloud report alleges, this was because the secret negotiation papers had been exfiltrated by malware installed on Tibetan computers. The point to remember is that a cyber early warning system attempts to overcome the attribution problem. It cannot help if a system’s security mechanisms are broken and basic access policies for confidential data are absent or ignored. That is a system and network security problem and cannot be solved within the scope of an attribution system.

Physical-world indicators can help in attribution. A sophisticated early warning or alarm system can even help predict attacks rather than just help in attribution after an attack. Such a system would require aggregation of indicators from other fields like politics and military. Analysis of such indicators is already performed as part of traditional intelligence-gathering and there is no reason why such collection and analysis cannot be extended to track cyberwar operations. Interested readers can find the theoretical framework behind cyber early warning developed by Ned Moran discussed in Jeffrey Carr’s excellent book, Inside Cyber Warfare: Mapping the Cyber Underworld.